Zachary Loeber

I eat complexity and am never without a meal.

Exchange: Stop Email Exfiltration

When your users leave or get removed from the organization they may still be getting company confidential information. Here is how you can find out and stop this from happening.

I’ve seen this in numerous organizations so I figured I’d toss up a quick post and script for those who are interested in minimizing email exfiltration from occurring. Imagine this scenario:

  1. Bob from sales is going to be moving on from the organization. He has given his two weeks and is careful not to burn bridges on the way out (so he is not abruptly terminated).
  2. On his last day his AD account is disabled, password reset, and his activesync devices are removed and remote wiped.
  3. As an additional measure Bob’s AD account had all groups removed and was moved to a ‘Disabled’ organizational unit.
  4. His replacement is delegated rights to access and manage his mailbox so they can respond to clients he may have been working with.
  5. Bob goes on to work for a competitor. Somehow Bob always seems to be able to reach out to and connect with prospective clients of yours that come in through an inquiry form on your website. He has managed to spear several large clients for his new employer because of this.

In the above example what is not said is that Bob setup some inbox rules in Outlook to forward a copy of any email received to another email account outside of the organization! Even if he was removed from all groups it wouldn’t matter if there were another inbox rule forwarding him the web inquiries (or even worse, if the web form just emailed a static list of users). This also doesn’t account for dynamic distribution lists which may be based on attributes  which are not cleared in the off-boarding process.

The gist of the issue is that email which should not be leaving the organization is flowing out to external sources. The quickest way to determine if this is something your organization suffers from is with a quick PowerShell Script.

This should run on Exchange 2010/2013 and Office 365 (I’ve not tested for Exchange 2007). The results should provide everything you need to find out which disabled accounts are forwarding email outside of the organization with something like this:

Once inbox rules are found it is a simple matter of piping ones you want removed to Remove-InboxRule. I’ve posted this script in my Github repo some time ago but made some improvements recently. Anyway, It may be worth a few of your cycles to run this in your own environment to see if any wayward email is flowing out of your organization.